CVE-2025-30204

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-30204
golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
https://github.com/golang-jwt/jwt/commit/bf316c48137a1212f8d0af9288cc9ce8e59f1afb
https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
https://security.netapp.com/advisory/ntap-20250404-0002/
Configurations

No configuration.

History

10 Apr 2025, 13:15

Type Values Removed Values Added
References
  • () https://github.com/golang-jwt/jwt/commit/bf316c48137a1212f8d0af9288cc9ce8e59f1afb -
Summary (en) golang-jwt is a Go implementation of JSON Web Tokens. Prior to 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2. (en) golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.

04 Apr 2025, 23:15

Type Values Removed Values Added
References
  • () https://security.netapp.com/advisory/ntap-20250404-0002/ -
References
  • () https://security.netapp.com/advisory/ntap-20250404-0002/ -
Summary
  • (es) golang-jwt es una implementación de Go de tokens web JSON. En versiones anteriores a la 5.2.2 y la 4.5.2, la función parse.ParseUnverified divide (mediante una llamada a strings.Split) su argumento (que contiene datos no confiables) en puntos. Como resultado, ante una solicitud maliciosa cuyo encabezado de autorización consiste en "Bearer" seguido de muchos puntos, una llamada a dicha función genera asignaciones de O(n) bytes (donde n representa la longitud del argumento de la función), con un factor constante de aproximadamente 16. Este problema se solucionó en las versiones 5.2.2 y 4.5.2.

21 Mar 2025, 22:15

Type Values Removed Values Added
New CVE
References
  • {'url': 'https://security.netapp.com/advisory/ntap-20250404-0002/', 'source': 'af854a3a-2127-422b-91ae-364da2661108'}
Information

Published : 2025-03-21 22:15

Updated : 2025-04-10 13:15

NVD link : CVE-2025-30204

Mitre link : CVE-2025-30204

CVE.ORG link : CVE-2025-30204

JSON object : View

Products Affected

No product.

CWE
CWE-405

Asymmetric Resource Consumption (Amplification)